New, dangerous Microsoft JPEG exploit released

New computer code that exploits a recently disclosed hole in Microsoft's Internet Explorer Web browser is circulating on the Internet and could allow remote attackers to take full control of vulnerable Windows machines, according to warnings from antivirus companies and Internet security experts.

Two new "proof of concept" exploit programs first appeared Wednesday, and were posted to Web sites and Internet news groups frequented by security experts. The new code is more dangerous than an exploit for the vulnerability that appeared earlier in the week, since it allows malicious hackers to run their own code on vulnerable machines, instead of just freezing or crashing Windows systems, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Center.

The two new exploits were published on Wednesday on security discussion list Full-Disclosure and have also appeared on, a French language Web site that specializes in software exploits, Ullrich said.

The exploits take advantage of a flaw in the way Microsoft applications process JPEG image files, a common format for displaying images on the Web. Microsoft designated the flaw a "critical" problem and released a software patch for it, MS04-028, on Sept. 14. A Windows user would have to open a JPEG file that had been modified to trigger the flaw using a wide range of applications, such as the Internet Explorer Web browser or Outlook e-mail client.

The exploits create a JPEG file formatted to trigger an overflow in a common Windows component called Gdiplus.dll, used by Windows, Internet Explorer, Outlook and other applications, said Elia Florio, a computer engineer living in Rome who created the exploits and posted them to Full Disclosure, in an interview with IDG News Service.

The first exploit opens a command shell on a vulnerable Windows system when the rigged JPEG file is opened using Windows Explorer, an application for browsing file directories on Windows systems. While that, in itself, is not damaging, a remote attacker could easily add malicious commands to the script that would run on the affected system, Ullrich said.

The second exploit, which was published late Wednesday, East Coast time in the U.S., further modifies the attack code to add a new administrator-level account, named simply "X," to affected Windows systems when a JPEG file is opened through Windows Explorer. The account could then be used by the attacker to log in to the machine using standard Windows networking features, he said.

In both cases, malicious commands could only be executed using the permission level of the user running Windows Explorer, he said.

The new exploits could be spread by a virus in corrupted JPEG images sent as e-mail attachments or served from Web sites. In fact, the scripts could be used to dynamically modify JPEG files as they are sent from a Web server, provided the attacker was able to access the Web server sending the images and place the attack script on it, Ullrich said.

While the new exploits work when the JPEGs they create are opened in Windows Explorer, they only crash Windows systems when opened in Internet Explorer or Outlook. However, the scripts could be modified to work with most versions of Microsoft's operating system applications, Florio said.

On Thursday, antivirus software company Symantec increased its severity rating on the JPEG vulnerability to 9.2 out of 10, noting the release of a new exploit that provides a command shell.

Newly released virus signatures from antivirus software companies have been successful at spotting JPEGs that attempt to trigger the MS04-028 flaw, Ullrich said. Windows users are encouraged to download and install the latest software patch from Microsoft and to update their antivirus definitions as soon as possible, he said.

Despite releasing the exploits, Florio said he does not intend them to be used in a malicious way.

The exploits are not suited to be used immediately by low-skilled computer hackers, commonly known as "script kiddies," and would need to be modified by a knowledgeable programmer before they could be used in widespread attacks, he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments



Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?